Major security flaw found in HTC Android devices

A worrisome security flaw has been found in the HTC Sense user interface on HTC’s Android smartphones. According to a report by AndroidPolice.com, a number of more recent HTC devices (including the HTC EVO 3D, EVO 4G, and Thunderbolt) contain a vulnerability that lets other applications gain access to information such as the user account list (including email addresses), GPS location data, phone numbers from the phone log, SMS data and system logs.

I’d like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.

The security flaw is tied to a logging tool in HTC Sense called HTCLogger, which insecurely collects private data for use by HTC (supposedly on an anonymous basis). Any application on affected devices that requests a single permission, android.permission.INTERNET (normally used by any app connecting to the Internet), can access the information.

The report adds that HTC was notified of the flaw on September 24th but did not respond for over five days. It has finally acknowledged that it is aware of the issue:

“HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.”

No resolution has yet been provided by HTC. For its part, AndroidPolice.com suggests that the issue can be resolved by removing HTCloggers from affected devices once they have been rooted.

Read more about this story: AndroidPolice.com and Engadget.com